The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in “Operation Magnus,” warning cybercriminals that their data is now in the hands of the law enforcement.
Operation Magnus was announced on a dedicated website that disclosed the disruption of the Redline and Meta operations, stating that legal actions based on the seized data are currently underway.
“On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted operation of the Redline and Meta infostealers,” reads a short announcement on the Operation Magnus site.
“Involved parties will be notified, and legal actions are underway.”
Redline is an affordable yet poweful [sic] Windows information-stealing malware has been sold to cybercriminals since 2020, causing widespread theft of victim’s passwords, authentication cookies, cryptocurrency wallets, and other sensitive data.
Meta (not to be confused with MetaStealer), is a newer Windows infostealer malware project announced in 2022, marketed as an improved version of Redline.
The stolen credentials are then used or sold to other threat actors to cause network breaches, ranging from massive data breaches to ransomware attacks that cause widescale disruption of the U.S. healthcare system.
A joint report by Specops and KrakenLabs says that threat actors have used Redline to steal over 170 million passwords in just a six month period.
Politie says they were able to disrupt the operation with the help of international law enforcement partners, including the FBI, NCIS, the U.S. Department of Justice, Eurojust, the NCA, and the police forces in Portugal and Belgium.
The agencies published the following video, announcing the “final update” for Redline and Meta users, warning that they now have their account credentials, IP addresses, activity timestamps, registration details, and more.
This makes it clear that the investigators hold evidence that can be used to track down cybercriminals who used the malware, so arrests and prosecutions are likely to be announced in the future.
Moreover, the authorities claimed they got access to the source code, including license servers, REST-API services, panels, stealer binaries, and Telegram bots, for both malware.
As they stated in the video, both Meta and Redline shared the same infrastructure, so it’s likely that the same creators/operators are behind both projects.
Although there has been some doubt about the authenticity of the announcements initially, Europol and the NCA have confirmed to BleepingComputer that the operation is legitimate.
Malware researcher g0njxa told BleepingComputer that both Redline and Meta were sold through bots on Telegram, which have now been deleted.
More information about the operation, seized infrastructure, and potential arrests, is scheduled to be released to the public tomorrow.
This is a developing story.